PGP Full Disk Encryption FAQ

About PGP

What is PGP? What is PGP Desktop?
Pretty Good Privacy (PGP) is data privacy and protection software that uses encryption and authentication to protect information. With PGP, a computer's hard disk can be encrypted so that it is unreadable to anyone who lacks the encryption passphrase or a recovery token, even if the disk is removed from the computer. PGP can also be used to digitally sign email, though LOGOS does not yet implement this feature. PGP Desktop is a suite of encryption applications from PGP Corporation (now owned by Symantec). LOGOS licenses the Whole Disk Encryption feature of PGP Desktop.

What is Whole Disk Encryption?
Whole Disk Encryption (WDE) encrypts the entire contents of a hard disk: not only files and programs, but also temporary files, file metadata and the disk's free space. The only part left in the clear is the small pre-boot component that displays the passphrase prompt, which holds no user data. WDE protects the data by rendering the contents of the disk unreadable to anyone who does not know the encryption passphrase, even if the drive is removed from the computer. WDE also requires pre-boot authentication: the computer will not boot until the correct passphrase is entered at the PGP BootGuard screen.

Why should I use PGP Whole Disk Encryption?
An encrypted disk protects all stored data from unauthorized access if the computer is lost or stolen. PGP should be used on any laptop, whether company-owned or personally owned, that is used to access LOGOS internal data or file services. PGP should also be used on flash drives and other media used to store or transport confidential information. Keep in mind that WDE protects data at rest: once the computer is booted and unlocked, the disk is readable like any other, so lock or shut down a laptop before leaving it unattended.

Where can I read more documentation/get more help with PGP Desktop?
Symantec publishes user guides and a searchable knowledge base for PGP Desktop products.

Using PGP Desktop

Where can I get PGP Desktop?
LOGOS employees can download PGP Desktop from the LOGOS Software Center. Users may also submit a ticket, and someone from the Helpdesk will assist with installing the software.

How do I install PGP Desktop?
Installation instructions are available for Windows and Macintosh OS X. Please contact the Helpdesk (Helpdesk@logostech.net).

How do I uninstall PGP Desktop?
Removal instructions are available for Windows. Please contact the Helpdesk (Helpdesk@logostech.net).

What is PGP Desktop Enrollment, and why do I have to do it?
PGP Enrollment registers the computer with the company PGP server, which keeps a backup of your encryption keys so that a forgotten passphrase or a system failure does not lock you out of your data permanently. The disk is not encrypted until enrollment succeeds.

Can I install PGP Desktop on more than one computer or external drive?
Yes. You can install and enroll PGP Desktop on as many computers and external drives as you need; LOGOS's license for PGP Desktop is based on enrolled NetIDs, not on individual computer or disk drive installations.

Why does my computer seem slower/hotter/noisier after I enrolled PGP Desktop?
Once enrolled, PGP Desktop automatically begins encrypting the disk drive. You can keep using the computer during this process, but it may respond more slowly than usual. The extra disk activity can also raise the computer's internal temperature and make the disk drive or cooling fans louder. This is normal while the drive is being encrypted. Once the drive is fully encrypted, which may take several hours on large disks, the computer should behave normally again.

PGP Desktop says it will take [many hours] to encrypt my drive. Do I have to leave the computer on the whole time?
No. During encryption you may sleep, hibernate, shut down or restart the computer at any time without losing PGP's encryption progress.
PGP will pause and resume encryption automatically as needed until the entire disk drive is encrypted.

Passphrase and Data Recovery

I changed my LOGOS password and now I can't log in at my computer's PGP prompt. What happened?
When you change your LOGOS password, PGP Desktop may not yet have updated its passphrase to match, particularly if you changed the password while logged in to a different computer or if PGP Desktop has not had a chance to contact LOGOS's central PGP server. Enter your previous password at the PGP prompt, then enter your new password (if asked) to log in to the computer. Once the computer is connected to the Internet, PGP Desktop will synchronize its local passphrase with the new password.

I've forgotten my password and can't access any of my encrypted data. What do I do?
On Windows, because of the Single Sign-On option, your PGP passphrase is usually the same as your LOGOS password. If you changed your password since you last used your PGP-encrypted computer, try the former passphrase. If that does not work, or you cannot remember the former password, you will need a recovery token to access your data.

Someone tried to log in to my computer without knowing my passphrase, and now the computer is locked. What do I do?
Once PGP has locked out authentication after repeated failed attempts, the only way to regain access is a recovery token.

What is a recovery token? What is a "one-time" recovery token?
A recovery token is a separate passphrase generated by the LOGOS PGP server and paired to the encryption keys that PGP Desktop created on your computer. It can be used to log in to a PGP-protected computer when the original passphrase has been lost or forgotten. A "one-time" recovery token becomes invalid as soon as it has been used once to log in, so if the passphrase problem is not resolved after that login, a fresh token must be requested. Recovery tokens are entered in the standard PGP passphrase prompt that appears when the computer is powered on.

I need a recovery token. How do I get one?
Create a Helpdesk ticket to request a recovery token. You will need to speak with an Administrator to verify your identity before a token is issued.

I encrypted a flash drive/external disk drive, but when I plug it into a different computer, it doesn't even show up. How can I access it?
Drives encrypted by PGP Whole Disk Encryption can only be read on a computer with PGP Desktop installed. To use an external drive with a computer that does not have PGP Desktop, you may either erase and reformat the drive (destroying all data), or first connect it to a computer that does have PGP Desktop, decrypt the drive to remove its protection, and then connect it to the second computer.

My OS needs to be repaired, but when I boot to my repair utility it can't read the encrypted drive. How can I repair my system?
If the system is bootable and PGP Desktop can be started, decrypt the disk drive before booting the repair utility, and use PGP Desktop to re-encrypt the drive when repairs are complete. If the system is unbootable, some repair environments such as Windows PE and BartPE support PGP plug-ins that let you authenticate with your PGP passphrase so that the repair utility can access the encrypted drive.

I installed a Mac OS X update and now my computer won't start. How do I fix this?
Some Mac OS X updates can remove PGP's ability to access your encrypted system. This is usually resolved by creating a PGP Recovery Disk, booting the computer from it, and then downloading and reinstalling the latest version of PGP with the assistance of LOGOS Helpdesk staff. Contact your IT support resource for help with this process.
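The recovery mechanisms described above (the user passphrase, additional passphrase users, the one-time recovery token, lockout after repeated failures) and the 3-of-5 self-recovery questions covered in the next section all rest on the same idea: the disk is encrypted under a single data-encryption key, and each credential only wraps that key, so credentials can be added, changed or spent without touching the encrypted data. The following Python model is an added illustration written for this page, not PGP Desktop's own code. The wrap construction (XOR keystream plus HMAC, standing in for AES key wrap), the PBKDF2 cost, the lockout threshold of five failures, the slot names, and the use of Shamir secret sharing to get the 3-of-5 behaviour are all assumptions chosen to show the idea, not what PGP actually implements.

```python
"""Toy model of a whole-disk key hierarchy (added illustration, not PGP's code):
one data-encryption key (DEK) encrypts the disk, and every credential only wraps it."""
import hashlib, hmac, os, secrets

KDF_ITERS = 50_000      # assumed KDF cost; real products tune this
PRIME = 2**521 - 1      # Mersenne prime; field for the 3-of-5 threshold scheme
MAX_FAILURES = 5        # assumed lockout threshold

def derive_kek(secret, salt):
    # Key-encryption key from a passphrase, token or question answer.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERS)

def wrap(kek, data):
    """Encrypt-then-MAC key wrap (stand-in for AES key wrap)."""
    stream = hashlib.shake_256(b"wrap" + kek).digest(len(data))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return ct + hmac.new(kek, ct, "sha256").digest()

def unwrap(kek, blob):
    """Return the wrapped data, or None when the credential is wrong."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, "sha256").digest()):
        return None
    stream = hashlib.shake_256(b"wrap" + kek).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def split_secret(secret, n=5, k=3):
    """Shamir split over GF(PRIME): any k of the n shares rebuild the secret."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME)
            for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = num * -xj % PRIME, den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

class EncryptedDisk:
    def __init__(self):
        self.dek = secrets.token_bytes(32)  # held here only so the model can wrap it
        self.slots = {}                     # name -> (salt, wrapped DEK, one_time)
        self.questions = []                 # (question, salt, share x, wrapped share y)
        self.failures, self.locked = 0, False

    def _record(self, dek):
        # A wrong credential counts toward lockout; success clears it.
        self.failures = 0 if dek else self.failures + 1
        self.locked = self.failures >= MAX_FAILURES
        return dek

    def add_user(self, name, passphrase, one_time=False):
        salt = os.urandom(16)
        self.slots[name] = (salt, wrap(derive_kek(passphrase, salt), self.dek), one_time)

    def issue_recovery_token(self):
        # Models the server-issued one-time token handed over by the help desk.
        token = secrets.token_urlsafe(24)
        self.add_user("recovery-token", token, one_time=True)
        return token

    def unlock(self, name, passphrase):
        """Pre-boot prompt. A locked disk accepts only a one-time token."""
        slot = self.slots.get(name)
        if slot is None or (self.locked and not slot[2]):
            return self._record(None)
        salt, blob, one_time = slot
        dek = unwrap(derive_kek(passphrase, salt), blob)
        if dek is not None and one_time:
            del self.slots[name]            # token is spent after a single use
        return self._record(dek)

    def change_passphrase(self, name, old, new):
        """Re-wraps one slot; the encrypted disk contents are untouched."""
        if self.unlock(name, old) is None:
            return False
        self.add_user(name, new)
        return True

    def set_questions(self, answers):
        """Each answer wraps one Shamir share; nothing is sent to a server."""
        shares = split_secret(int.from_bytes(self.dek, "big"), n=len(answers), k=3)
        self.questions = []
        for (question, answer), (x, y) in zip(answers, shares):
            salt = os.urandom(16)
            blob = wrap(derive_kek(answer.strip().lower(), salt), y.to_bytes(66, "big"))
            self.questions.append((question, salt, x, blob))

    def unlock_with_answers(self, answers):
        """Self recovery: 3 correct answers rebuild the DEK; wrong ones just fail their tag."""
        if self.locked:
            return None
        shares = []
        for question, salt, x, blob in self.questions:
            y = unwrap(derive_kek(answers.get(question, "").strip().lower(), salt), blob)
            if y is not None:
                shares.append((x, int.from_bytes(y, "big")))
        if len(shares) < 3:
            return self._record(None)
        return self._record(recover_secret(shares[:3]).to_bytes(32, "big"))
```

Three things the model makes visible that the FAQ only states: changing a passphrase re-wraps one slot and never re-encrypts the disk, which is why a password change is cheap and why an out-of-band change leaves the old passphrase valid until it is re-synchronized; a one-time recovery token is simply a slot that is deleted on first successful use, so a second use fails even though the token string is unchanged; and the self-recovery answers never need to be stored or uploaded anywhere, because a wrong answer just fails the integrity tag on its share and contributes nothing.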
PGP WDE Local Self Recovery

What are the PGP WDE Local Self Recovery questions and what is the advantage of configuring them?
PGP WDE Local Self Recovery questions let users unlock an encrypted drive from the PGP BootGuard screen when they have forgotten their passphrase, by answering security questions they configured earlier. Users who have set them up do not need to contact an administrator for a recovery token.

How many questions have to be answered correctly for me to be able to start my encrypted computer to access data?
You must answer 3 of the 5 questions correctly.

I am an administrator. Is it possible for me to predefine the PGP WDE local self-recovery questions for the user on PGP Universal Server?
No. The questions cannot be predefined centrally; they can only be configured locally on the computer by the individual user.

If I enable the PGP WDE Local Self Recovery questions in the policy, when will users be prompted to create them?
During enrollment, after the user has entered his or her SSO password.

Can I configure my own questions or do I have to select the ones from the list?
You can create your own questions: the drop-down menu includes an option to write your own question.

I have forgotten the answers to my PGP WDE Local Self Recovery questions. What do I have to do to access my encrypted computer?
Contact your administrator, who can provide an alternative way to access the computer (such as a recovery token).

I am an administrator and I have decided to disable the PGP WDE local self-recovery questions for users in the policy. What effect will this have on users?
If you disable the feature in the policy, the existing user questions are removed. Not only will new users lack the feature; existing users also cannot use their security questions. If you later re-enable the feature, the old questions are not restored, and all users must configure new ones.

Where are the Local Self Recovery questions stored?
They are stored locally in PGP BootGuard on the computer and are never uploaded to the Universal Server. This is also why an administrator cannot look them up or reset them for you.

Multi-user and Multi-OS Environments

How do I allow multiple people to sign in to a PGP-protected computer without sharing a password?
Once PGP Desktop Enrollment has been completed with a valid LOGOS account, additional passphrase users may be added as authorized accounts for the PGP-protected disk. These may be other LOGOS accounts or local computer accounts; for local accounts, enter the local computer name in the "Domain" field. Local passphrase user accounts cannot administer PGP (for example, enrollment or decryption); only users logged in with LOGOS accounts can access the PGP Desktop settings. Nothing prevents logging in to the local system with a non-LOGOS passphrase user account and then using PGP Desktop with a different account, but this can interfere with PGP Desktop's Single Sign-On (for example, if you enroll with PGP using the same ID under two different local computer profiles, PGP may not log you in to the correct local account at boot time). To keep it simple, regular users of a system should do one of the following:
• Log in to the system with LOGOS domain credentials and enroll with PGP using the same credentials, or
• Log in with a local account whose name matches their ID, or
• Log in as a local passphrase user with no matching ID, and do not enroll with PGP when prompted.

I have a Parallels/VMware/VirtualBox/other virtual machine on my computer. Do I need to install PGP Desktop on the virtual machine as well?
No. A virtual machine is just a file (or a set of files) on your computer. If the computer's disk is encrypted with PGP Whole Disk Encryption, the virtual machine's files stored on that disk are encrypted along with everything else, so you do not need to install PGP Desktop inside the virtual machine. (If you move the virtual machine's disk image to an unencrypted drive, that copy is no longer protected.)

User Submitted Questions

If one Mac is encrypted with PGP, and the other is not, can large amounts of data/imagery be copied from one to the other using Target Disk Mode and FireWire?
Yes, data can be copied to any other system or external media. Note that files copied off a PGP WDE-encrypted system are decrypted as they are read, so the copy is protected only if the destination system or device is itself encrypted. The encryption solution we have protects data at rest, not in motion.

When I update my Logos password, will my disk encryption password also be updated, or is that a separate process?
Yes, your disk encryption passphrase is updated automatically to match your new Active Directory password, provided you change the password with Ctrl+Alt+Del on the PGP-enrolled computer as described in the next question. If you change it any other way, you will need your old password once at the PGP BootGuard screen before the new one is synchronized.

How do I change my Windows Password with PGP WDE with Single Sign-On?
To keep Windows password changes synchronized with PGP Whole Disk Encryption (PGP WDE), change your password for Single Sign-On with the Change Password feature in the Windows Security dialog box, which you open by pressing Ctrl+Alt+Del. You may also change your password when Windows warns during login that it is about to expire. To ensure the change synchronizes successfully, perform it while directly connected to the Logos network or over VPN.

To change your passphrase:
1. Press Ctrl+Alt+Delete.
2. Type your old password.
3. Type and confirm your new password.
4. Click OK.

Single Sign-On automatically and transparently synchronizes the new password with your PGP WDE passphrase. You can use the new password immediately, at your next login.

Caution: If you change your password in any other manner (on a Domain Controller, in the Windows Control Panel, through the system administrator, or from another system), your next login attempt at the PGP BootGuard screen will fail. Supply your old Windows password at the BootGuard screen instead. A successful BootGuard login with the old password brings up the Windows login screen, where you must log in with your new Windows password; at that point PGP WDE synchronizes with the new password.

How do I change my encryption passphrase on Mac OS?
1. Click the encryption lock icon at the top of your screen and select Change Passphrase…
2. Enter your current passphrase.
3. Enter your new passphrase twice and click OK.

Can data be copied between two encrypted Macs in Target Disk Mode?
Yes. Once you get past the initial boot screen on each Mac, you should be able to copy data between the two systems.

On the Mac, why are we using PGP instead of Mac OS X's native encryption scheme (FileVault)?
Symantec's PGP was chosen as the leading enterprise solution for encryption because it meets the requirements for protecting data at rest on multiple operating systems (Windows, Mac OS X and Linux). Its main advantage is centralized support for all Logos users. For example, if you forget your PGP passphrase, if a file has been encrypted with a key that is lost or corrupted, or if data was encrypted by a user who has since left the company, IT support can assist with recovery. IT support holds the Whole Disk Encryption recovery tokens and an Additional Decryption Key (ADK) that can decrypt data encrypted with the software.

How will PGP affect programs reading large amounts of imagery? Imagery read by Matlab? How will PGP affect other disk-access-intensive software?
The encryption software should not cause significant performance problems for any application, regardless of file size. You will notice slowdowns immediately after enabling encryption, because the initial encryption of the disk can take 8-20 hours depending on the age of the equipment and the size of the disk. Once that completes, the performance impact should be minimal, as with any other encryption solution.